more reference tags, fixes issue #268

Christian Mehlmauer
2013-08-24 11:16:39 +02:00
parent 115241f16c
commit a032b7c134
17 changed files with 3731 additions and 1418 deletions




@@ -8,12 +8,22 @@
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="inttype">
<xs:restriction base="xs:positiveInteger" />
</xs:simpleType>
<xs:simpleType name="uritype">
<xs:restriction base="xs:anyURI">
<xs:minLength value="1" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="cvetype">
<xs:restriction base="xs:token">
<xs:pattern value="[0-9]{4}-[0-9]{4,}"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="typetype">
<xs:restriction base="stringtype">
<xs:enumeration value="SQLI"/>
@@ -34,37 +44,50 @@
</xs:simpleType>
<xs:complexType name="itemtype">
<xs:sequence>
<xs:element name="vulnerability" type="vulntype" maxOccurs="unbounded" minOccurs="1" />
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="vulnerability" type="vulntype" />
</xs:sequence>
<xs:attribute type="stringtype" name="name" use="required"/>
</xs:complexType>
<xs:complexType name="wordpresstype">
<xs:sequence>
<xs:element name="vulnerability" type="vulntype" maxOccurs="unbounded" minOccurs="1" />
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="vulnerability" type="vulntype"/>
</xs:sequence>
<xs:attribute type="stringtype" name="version" use="required"/>
</xs:complexType>
<xs:complexType name="vulntype">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="title" type="stringtype"/>
<xs:element name="reference" type="uritype" maxOccurs="unbounded" minOccurs="1"/>
<xs:element name="metasploit" type="stringtype" maxOccurs="unbounded" minOccurs="0"/>
<xs:element name="cve" type="stringtype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="type" type="typetype"/>
<xs:element name="fixed_in" type="stringtype" minOccurs="0" maxOccurs="1"/>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:choice>
<xs:element name="title" type="stringtype"/>
<xs:element name="type" type="typetype"/>
<xs:element name="fixed_in" type="stringtype"/>
<xs:element name="references" type="referencetype"/>
</xs:choice>
</xs:sequence>
</xs:complexType>
<xs:complexType name="referencetype">
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:choice>
<xs:element name="url" type="uritype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="cve" type="cvetype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="secunia" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="osvdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="metasploit" type="stringtype" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="exploitdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
</xs:sequence>
</xs:complexType>
<xs:element name="vulnerabilities">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:element name="plugin" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
<xs:element name="theme" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
<xs:element name="wordpress" type="wordpresstype" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:choice>
</xs:complexType>
<xs:unique name="uniquePlugin">
<xs:selector xpath="plugin"/>
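Review bot: The new `vulntype` is an unbounded `xs:choice` over `title`, `type`, `fixed_in` and `references`, so a `<vulnerability>` with no `title` or `type`, or with several of each, now validates. The previous sequence required exactly one `title`, exactly one `type` and at least one `reference`. The loader reads these with `xml_node.search('title').text`, which presumably concatenates duplicates, so a malformed database entry would pass validation and surface as an empty or garbled finding. If the aim is only to allow any element order, `xs:all` with `minOccurs="0"` on the optional children keeps the cardinality checks. `referencetype` is similarly loose: every child has `minOccurs="0"`, so an empty `<references/>` is accepted.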



@@ -5,24 +5,20 @@ require 'vulnerability/output'
class Vulnerability
include Vulnerability::Output
attr_accessor :title, :references, :type, :fixed_in, :metasploit_modules, :cve
attr_accessor :title, :references, :type, :fixed_in
#
# @param [ String ] title The title of the vulnerability
# @param [ String ] type The type of the vulnerability
# @param [ Array ] references References urls
# @param [ Array ] metasploit_modules Metasploit modules for the vulnerability
# @param [ Hash ] references References
# @param [ String ] fixed_in Vuln fixed in Version X
# @param [ Array ] cve CVE numbers for the vulnerability
#
# @return [ Vulnerability ]
def initialize(title, type, references, metasploit_modules = [], fixed_in = '', cve = [])
def initialize(title, type, references = {}, fixed_in = '')
@title = title
@type = type
@references = references
@metasploit_modules = metasploit_modules
@fixed_in = fixed_in
@cve = cve
end
# @param [ Vulnerability ] other
@@ -33,9 +29,7 @@ class Vulnerability
title == other.title &&
type == other.type &&
references == other.references &&
fixed_in == other.fixed_in &&
cve == other.cve &&
metasploit_modules == other.metasploit_modules
fixed_in == other.fixed_in
end
# :nocov:
@@ -45,13 +39,21 @@ class Vulnerability
#
# @return [ Vulnerability ]
def self.load_from_xml_node(xml_node)
references = {}
refs = xml_node.search('references')
if refs
references[:url] = refs.search('url').map(&:text)
references[:cve] = refs.search('cve').map(&:text)
references[:secunia] = refs.search('secunia').map(&:text)
references[:osvdb] = refs.search('osvdb').map(&:text)
references[:metasploit] = refs.search('metasploit').map(&:text)
references[:exploitdb] = refs.search('exploitdb').map(&:text)
end
new(
xml_node.search('title').text,
xml_node.search('type').text,
xml_node.search('reference').map(&:text),
xml_node.search('metasploit').map(&:text),
references,
xml_node.search('fixed_in').text,
xml_node.search('cve').map(&:text)
)
end
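Review bot: The `if refs` guard in `load_from_xml_node` looks like dead code: if `xml_node.search` returns a node set (as the `.map(&:text)` calls suggest), an empty result is still truthy in Ruby, so the branch always runs. A vulnerability without a `<references>` element therefore gets six empty arrays rather than `{}`. Either drop the guard or state the intent with `unless refs.empty?`. The six assignments could be one loop, `[:url, :cve, :secunia, :osvdb, :metasploit, :exploitdb].each { |k| references[k] = refs.search(k.to_s).map(&:text) }`. The `@param [ Hash ] references` line should also name the expected keys and say that each value is an Array of String, since `output` depends on that shape.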


@@ -7,16 +7,28 @@ class Vulnerability
def output
puts ' |'
puts ' | ' + red("* Title: #{title}")
references.each do |r|
puts ' | ' + red("* Reference: #{r}")
end
cve.each do |c|
puts ' | ' + red("* CVE-#{c} - #{Output.cve_url(c)}")
end
metasploit_modules.each do |m|
puts ' | ' + red("* Metasploit module: #{Output.metasploit_module_url(m)}")
end
end
references.each do |key, urls|
urls.each do |u|
case(key)
when :url
url = u
when :metasploit
url = Output.metasploit_module_url(u)
when :secunia
url = Output.secunia_url(u)
when :osvdb
url = Output.osvdb_url(u)
when :cve
url = Output.cve_url(u)
when :exploitdb
url = Output.exploitdb_url(u)
else
url = u
end
puts ' | ' + red("* Reference: #{url}") if url
end
end
end
# @return [ String ] The url to the metasploit module page
def self.metasploit_module_url(module_path)
@@ -27,7 +39,19 @@ class Vulnerability
def self.cve_url(cve)
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
end
end
def self.osvdb_url(id)
"http://osvdb.org/#{id}"
end
def self.secunia_url(id)
"http://secunia.com/advisories/#{id}"
end
def self.exploitdb_url(id)
"http://www.exploit-db.com/exploits/#{id}/"
end
end
end
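Review bot: In `output`, `urls.each` assumes every value in `references` is an array, so a hash built with a single string per key raises `NoMethodError` when the vulnerability is printed. `Array(urls).each do |u|` accepts both shapes. The `when :url` branch and the `else` branch are identical, and every helper returns a string, so the trailing `if url` can never be false; dropping `when :url` and the modifier makes the fall-through explicit. The new `osvdb_url`, `secunia_url` and `exploitdb_url` helpers lack the `# @return [ String ]` comment that `metasploit_module_url` carries.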


@@ -5,10 +5,10 @@ require 'spec_helper'
describe Vulnerability do
describe '#new' do
subject(:vulnerability) { Vulnerability.new(title, type, references, modules, fixed_version) }
subject(:vulnerability) { Vulnerability.new(title, type, references, fixed_version) }
let(:title) { 'A vulnerability title' }
let(:type) { 'XSS' }
let(:references) { %w{http://ref1.com http://ref2.com} }
let(:references) { {:url => 'example.com', :metasploit => 'm', :exploitdb => 'e'} }
context 'w/o metasploit and fixed version modules argument' do
subject(:vulnerability) { Vulnerability.new(title, type, references) }
@@ -16,36 +16,15 @@ describe Vulnerability do
its(:title) { should be title }
its(:references) { should be references }
its(:type) { should be type }
its(:metasploit_modules) { should be_empty }
its(:fixed_in) { should be_empty }
its(:cve) { should be_empty }
end
context 'with metasploit modules argument' do
subject(:vulnerability) { Vulnerability.new(title, type, references, modules) }
let(:modules) { %w{exploit/some_exploit exploit/unix/anotherone } }
its(:metasploit_modules) { should be modules }
its(:fixed_in) { should be_empty }
its(:cve) { should be_empty }
end
context 'with metasploit modules and fixed version argument' do
let(:modules) { %w{exploit/some_exploit exploit/unix/anotherone } }
context 'with fixed version argument' do
let(:fixed_version) { '1.0' }
its(:metasploit_modules) { should be modules }
its(:fixed_in) { should == '1.0' }
its(:cve) { should be_empty }
end
context 'with cve argument' do
subject(:vulnerability) { Vulnerability.new(title, type, references, [], '', cve) }
let(:cve) { %w{2011-001 2011-002} }
its(:metasploit_modules) { should be_empty }
its(:fixed_in) { should be_empty }
its(:cve) { should be cve }
its(:title) { should be title }
its(:references) { should be references }
its(:type) { should be type }
its(:fixed_in) { should be fixed_version }
end
end
@@ -56,11 +35,18 @@ describe Vulnerability do
xml(MODELS_FIXTURES + '/vulnerability/xml_node.xml').xpath('//vulnerability')
}
expected_refs = {
:url=>['Ref 1', 'Ref 2'],
:cve=>['2011-001'],
:secunia=>['secunia'],
:osvdb=>['osvdb'],
:metasploit=>['exploit/ex1'],
:exploitdb=>['exploitdb']
}
its(:title) { should == 'Vuln Title' }
its(:type) { should == 'CSRF' }
its(:references) { should == ['Ref 1', 'Ref 2'] }
its(:metasploit_modules) { should == %w{exploit/ex1} }
its(:cve) { should == %w{2011-001} }
its(:references) { should == expected_refs}
its(:fixed_in) { should == '1.0'}
end
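Review bot: The `let(:references)` hash in the `#new` block uses plain strings (`:url => 'example.com'`), while `load_from_xml_node` and the `expected_refs` hash further down use arrays of strings. The constructor specs therefore exercise a shape the rest of the code does not produce. Suggest `let(:references) { {:url => ['example.com'], :metasploit => ['m'], :exploitdb => ['e']} }`. The context label `'w/o metasploit and fixed version modules argument'` is also stale now that the metasploit parameter is gone; `'w/o fixed version argument'` would match the new signature.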


@@ -13,7 +13,15 @@ describe WpItem do
it_behaves_like 'WpItem::Vulnerable' do
let(:vulns_file) { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.xml' }
let(:vulns_xpath) { "//item[@name='neo']/vulnerability" }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new("I'm the one", 'XSS', ['http://ref1.com']) }
let(:expected_refs) { {
:url => ['Ref 1', 'Ref 2'],
:cve => ['2011-001'],
:secunia => ['secunia'],
:osvdb => ['osvdb'],
:metasploit => ['exploit/ex1'],
:exploitdb => ['exploitdb']
} }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new("I'm the one", 'XSS', expected_refs) }
end
subject(:wp_item) { WpItem.new(uri, options) }
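Review bot: The same six-key `expected_refs` hash is pasted into this spec and into the WpPlugin, WpTheme and WpVersion specs that follow, so any change to the reference keys has to be made in four places. Since all four use `it_behaves_like 'WpItem::Vulnerable'`, a single default `let(:expected_refs)` in that shared example group would remove the duplication, assuming nothing outside the visible hunks overrides it. Each spec would then keep only its own `expected_vulns` line.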


@@ -7,7 +7,15 @@ describe WpPlugin do
it_behaves_like 'WpItem::Vulnerable' do
let(:options) { { name: 'white-rabbit' } }
let(:vulns_file) { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins_vulns.xml' }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Follow me!', 'REDIRECT', ['http://ref2.com']) }
let(:expected_refs) { {
:url => ['Ref 1', 'Ref 2'],
:cve => ['2011-001'],
:secunia => ['secunia'],
:osvdb => ['osvdb'],
:metasploit => ['exploit/ex1'],
:exploitdb => ['exploitdb']
} }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Follow me!', 'REDIRECT', expected_refs) }
end
subject(:wp_plugin) { WpPlugin.new(uri, options) }


@@ -8,7 +8,15 @@ describe WpTheme do
it_behaves_like 'WpItem::Vulnerable' do
let(:options) { { name: 'the-oracle' } }
let(:vulns_file) { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.xml' }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('I see you', 'FPD', ['http://ref.com']) }
let(:expected_refs) { {
:url => ['Ref 1', 'Ref 2'],
:cve => ['2011-001'],
:secunia => ['secunia'],
:osvdb => ['osvdb'],
:metasploit => ['exploit/ex1'],
:exploitdb => ['exploitdb']
} }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('I see you', 'FPD', expected_refs) }
end
subject(:wp_theme) { WpTheme.new(uri, options) }


@@ -7,7 +7,15 @@ describe WpVersion do
it_behaves_like 'WpItem::Vulnerable' do
let(:options) { { number: '3.2' } }
let(:vulns_file) { MODELS_FIXTURES + '/wp_version/vulnerable/versions_vulns.xml' }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Here I Am', 'SQLI', ['http://ref1.com']) }
let(:expected_refs) { {
:url => ['Ref 1', 'Ref 2'],
:cve => ['2011-001'],
:secunia => ['secunia'],
:osvdb => ['osvdb'],
:metasploit => ['exploit/ex1'],
:exploitdb => ['exploitdb']
} }
let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Here I Am', 'SQLI', expected_refs) }
end
subject(:wp_version) { WpVersion.new(uri, options) }


@@ -1,9 +1,14 @@
<vulnerability>
<title>Vuln Title</title>
<reference>Ref 1</reference>
<reference>Ref 2</reference>
<cve>2011-001</cve>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>CSRF</type>
<metasploit>exploit/ex1</metasploit>
<fixed_in>1.0</fixed_in>
</vulnerability>
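Review bot: The fixture values do not satisfy the schema types added in this same commit. `<cve>2011-001</cve>` has three digits after the dash where `cvetype` requires `[0-9]{4,}`, and `<secunia>secunia</secunia>`, `<osvdb>osvdb</osvdb>` and `<exploitdb>exploitdb</exploitdb>` are not positive integers as `inttype` requires. The specs visible here only parse the file, so nothing fails, but the fixtures no longer represent data the validated database can contain, and the URL helpers are never tested with realistic ids. Constructed sample values such as `<cve>2011-0001</cve>` and `<secunia>12345</secunia>` would keep fixtures and schema in step. The same applies to the items_vulns.xml, plugins_vulns.xml, themes_vulns.xml and versions_vulns.xml fixture sections below.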


@@ -5,7 +5,15 @@
<item name="not-this-one">
<vulnerability>
<title>I should not appear in the results</title>
<reference>http://ref1.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>RFI</type>
</vulnerability>
</item>
@@ -13,7 +21,15 @@
<item name="neo">
<vulnerability>
<title>I'm the one</title>
<reference>http://ref1.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>XSS</type>
</vulnerability>
</item>


@@ -4,12 +4,28 @@
<plugin name="mr-smith">
<vulnerability>
<title>I should not appear in the results</title>
<reference>http://ref1.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>RCE</type>
</vulnerability>
<vulnerability>
<title>Neither do I</title>
<reference>http://ref3.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>FPD</type>
</vulnerability>
</plugin>
@@ -17,7 +33,15 @@
<plugin name="white-rabbit">
<vulnerability>
<title>Follow me!</title>
<reference>http://ref2.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>REDIRECT</type>
</vulnerability>
</plugin>


@@ -4,12 +4,28 @@
<theme name="not-this-one">
<vulnerability>
<title>I should not appear in the results</title>
<reference>http://some-ref.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>SQLI</type>
</vulnerability>
<vulnerability>
<title>Neither do I</title>
<reference>http://some-other-ref.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>XSS</type>
</vulnerability>
</theme>
@@ -17,7 +33,15 @@
<theme name="the-oracle">
<vulnerability>
<title>I see you</title>
<reference>http://ref.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>FPD</type>
</vulnerability>
</theme>


@@ -4,7 +4,15 @@
<wordpress version="3.5">
<vulnerability>
<title>I should not appear in the results</title>
<reference>http://ref2.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>XSS</type>
</vulnerability>
</wordpress>
@@ -12,7 +20,15 @@
<wordpress version="3.2">
<vulnerability>
<title>Here I Am</title>
<reference>http://ref1.com</reference>
<references>
<metasploit>exploit/ex1</metasploit>
<url>Ref 1</url>
<url>Ref 2</url>
<cve>2011-001</cve>
<secunia>secunia</secunia>
<osvdb>osvdb</osvdb>
<exploitdb>exploitdb</exploitdb>
</references>
<type>SQLI</type>
</vulnerability>
</wordpress>


@@ -60,10 +60,10 @@ shared_examples 'WpItem::Vulnerable' do
let(:version_orig) { '1.5.6' }
let(:version_newer) { '1.6' }
let(:version_older) { '1.0' }
let(:newer) { Vulnerability.new('Newer', 'XSS', ['ref'], nil, version_newer) }
let(:older) { Vulnerability.new('Older', 'XSS', ['ref'], nil, version_older) }
let(:same) { Vulnerability.new('Same', 'XSS', ['ref'], nil, version_orig) }
let(:no_fixed_info) { Vulnerability.new('Same', 'XSS', ['ref'], nil, nil) }
let(:newer) { Vulnerability.new('Newer', 'XSS', { :url => ['http://ref.com'] }, version_newer) }
let(:older) { Vulnerability.new('Older', 'XSS', { :url => ['http://ref.com'] }, version_older) }
let(:same) { Vulnerability.new('Same', 'XSS', { :url => ['http://ref.com'] }, version_orig) }
let(:no_fixed_info) { Vulnerability.new('Same', 'XSS', { :url => ['http://ref.com'] }, nil) }
before do
stub_request(:get, /.*\/readme\.txt/i).to_return(status: 200, body: "Stable Tag: #{version_orig}")